CVE-2016-10744
XSS vulnerability in select2 (npm)

XSS No known exploit

What is CVE-2016-10744 About?

This vulnerability allows for Cross-Site Scripting (XSS) in Select2 through version 4.0.5, specifically when rich selectlists are used with Ajax remote data loading and HTML templates. Attackers can inject malicious scripts into the listbox data, which then execute in the user's browser and can lead to session hijacking or data theft. Exploitation requires user interaction with the compromised selectlist and depends on the application using these particular Select2 features, so it is only moderately practical to exploit broadly and consistently.

Affected Software

select2 <4.0.6

Technical Details

The vulnerability manifests as Cross-Site Scripting (XSS) within the Select2 library, specifically versions up to 4.0.5. It occurs in use cases where 'rich selectlists' are populated via Ajax remote data loading and HTML templates are employed to display listbox data. An attacker can inject malicious HTML and JavaScript into the data fetched remotely. When Select2 renders this data using HTML templates, it fails to properly sanitize the input, leading to the execution of the injected script in the context of the user's browser. This allows for client-side attacks such as cookie theft, redirection, or defacement.
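The pattern described above, as an added example that is not code from the select2 project or from this advisory: a `templateResult` that interpolates Ajax-supplied text straight into an HTML string, beside a hardened version that escapes every remote value first. The field names `text` and `avatar`, the `escapeHtml` helper and the sample response are assumptions constructed for the example.

```javascript
// Added example (not select2's own code). Select2 only renders a template's
// HTML when the default escaping is switched off in the options, e.g.
//   $('#users').select2({ ajax: { url: '/api/users' },   // hypothetical
//                         templateResult: renderResultSafe,
//                         escapeMarkup: (m) => m });
// With escapeMarkup disabled, the template itself must do the escaping.

// Minimal HTML escaper written for this example (select2 ships a comparable
// default that it applies to plain-string templates).
function escapeHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
    "'": '&#39;', '/': '&#47;', '\\': '&#92;',
  };
  return String(s).replace(/[&<>"'\/\\]/g, (c) => map[c]);
}

// Vulnerable: remote `text` and `avatar` go into the markup unchanged, so a
// poisoned Ajax response is rendered as HTML in every user's browser.
function renderResultUnsafe(item) {
  return '<span class="user"><img src="' + item.avatar + '"> ' +
    item.text + '</span>';
}

// Hardened: remote text is escaped before it reaches the markup, and the
// avatar is only used when it is an http(s) URL. (Returning a DOM/jQuery
// element built with .text() instead of a string is an equivalent fix.)
function renderResultSafe(item) {
  const avatar = /^https?:\/\//i.test(String(item.avatar)) ? item.avatar : '';
  const img = avatar ? '<img src="' + escapeHtml(avatar) + '"> ' : '';
  return '<span class="user">' + img + escapeHtml(item.text) + '</span>';
}

// Constructed samples: one poisoned record and one legitimate record.
const poisonedItem = {
  id: 7, text: '<img src=x onerror=alert(1)>', avatar: 'javascript:alert(1)',
};
const benignItem = {
  id: 1, text: "O'Brien", avatar: 'https://example.com/a.png',
};

// Renders both items with both templates so the difference can be inspected.
function demo() {
  return {
    unsafe: renderResultUnsafe(poisonedItem),
    safe: renderResultSafe(poisonedItem),
    benign: renderResultSafe(benignItem),
  };
}
```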

What is the Impact of CVE-2016-10744?

Successful exploitation may allow attackers to execute arbitrary scripts in the context of the victim's browser, leading to session hijacking, defacement of web content, redirection to malicious sites, or unauthorized data access.

What is the Exploitability of CVE-2016-10744?

Exploitation of this XSS vulnerability generally requires an authenticated user to load a page containing a vulnerable Select2 rich selectlist that fetches attacker-controlled content via Ajax. The complexity is moderate: the attacker needs knowledge of the specific application's use of Select2 and a way to inject malicious content into the data source. No specific authentication is required on the attacker's part beyond being able to provide or influence the data displayed in the selectlist. Access is remote, as the attack is delivered through the web application. The primary constraint is the reliance on the application rendering listbox data with HTML templates from attacker-influenced remote data. Likelihood is increased by users' trust in the application and by how commonly rich selectlists are used.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2016-10744?

Available Upgrade Options

  • select2
    • <4.0.6 → Upgrade to 4.0.6


Additional Resources

What are Similar Vulnerabilities to CVE-2016-10744?

Similar Vulnerabilities: CVE-2017-7667, CVE-2019-11510, CVE-2020-13936, CVE-2021-23337, CVE-2021-21315